
SNOW TA: How to use filter_data when key-value has javascript

shandr
Path Finder

Does anybody know what my inputs.conf setting for filter_data must look like for a key-value like below?

I cannot find any detailed documentation on filter_data, and I see the same error when I try to use URL encoding.

[snow://pa_job_logs4_javascript]
table = pa_job_logs
filter_data = run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months()

2021-03-31 18:04:32,776 ERROR pid=22626 tid=MainThread file=snow.py:_check_filter_data:74
| Got unexpected value run_time>javascript:gs.getDurationDate('0 3:0:0')&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()@javascript:gs.endOfLast3Months() of 'filter_data' field for input 'pa_job_logs4_javascript'. Enter filter parameters in key1=value1&key2=value2 format. You can either change it in inputs.conf file or edit 'Filter parameters' on Inputs page.

The table filter above seems to work with the REST API Explorer in ServiceNow, i.e. sysparm_query=run_time....

Is there some trick to simplify it, or a workaround?
Splunk Add-on for ServiceNow version 4.0.0


tscroggins
Influencer

@shandr 

Splunk_TA_snow only accepts query parameters of the form key=value.

From Splunk_TA_snow/bin/snow.py:

import re

def valid_filter_data_format(filter_data):
    """
    Parses the filter_data string and returns True if the filter_data is of the format:
    "key1=value1&key2=value2|key3=value3"
    """
    # Clauses are separated by "&" or "|".
    filter_data_list = re.split(r'&|\|', filter_data)
    for filter_data_value in filter_data_list:
        try:
            # Unpacking needs exactly one "=" per clause; any other count raises ValueError.
            filter_key, filter_value = [ field.strip() for field in filter_data_value.split("=") ]
        except ValueError:
            return False
        else:
            # An empty key or an empty value is rejected.
            if any((not filter_key, not filter_value)):
                return False
    return True

This is a Splunk supported app, so your best long-term option is to open a support case. Splunk will most likely categorize the case as a feature enhancement request.

ServiceNow Paris (the latest release supported by Splunk) has a significant number of operators beyond "=" for various field types that Splunk should endeavor to support in filters: https://docs.servicenow.com/bundle/paris-platform-user-interface/page/use/common-ui-elements/referen...

In the short-term, you could rewrite the valid_filter_data_format function to pass the operators you use, but you'll want to be mindful of the impact to other parts of the code that use or interpret the filter data.
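
An added sketch of the short-term workaround suggested in the answer above (not Splunk's code and not part of the original post): stock_accepts mirrors the quoted key=value rule, and relaxed_filter_errors is a hypothetical replacement check that accepts only an allowlist of operators and gs.* script calls, here the ones in the question's filter. All names, the lowercase-field-name rule and both allowlists are assumptions; it covers validation only, not the other code in the add-on that interprets filter_data.

```python
import re

# Constructed sample: the filter_data value from the question's inputs.conf stanza.
QUESTION_FILTER = (
    "run_time>javascript:gs.getDurationDate('0 3:0:0')"
    "&sys_created_onONLast 3 months@javascript:gs.beginningOfLast3Months()"
    "@javascript:gs.endOfLast3Months()"
)

# Assumptions for this sketch: lowercase field names, and only these operators.
CLAUSE_RE = re.compile(r"^([a-z][a-z0-9_.]*)(>=|<=|!=|=|>|<|ON)(.+)$")
# Assumption: the only server-side script calls permitted are the ones this input uses.
ALLOWED_GS_CALLS = {"getDurationDate", "beginningOfLast3Months", "endOfLast3Months"}
GS_CALL_RE = re.compile(r"javascript:gs\.(\w+)\(")


def check_clause(clause):
    """Return None if the clause is acceptable, otherwise a short reason string."""
    match = CLAUSE_RE.match(clause.strip())
    if not match:
        return "no allowlisted operator between a field name and a value"
    value = match.group(3)
    calls = GS_CALL_RE.findall(value)
    # Every "javascript:" in the value must be a gs.<name>( call.
    if value.count("javascript:") != len(calls):
        return "javascript: expression is not a gs.<function>() call"
    for name in calls:
        if name not in ALLOWED_GS_CALLS:
            return "gs.%s() is not allowlisted" % name
    return None


def relaxed_filter_errors(filter_data):
    """Hypothetical replacement check: (clause, reason) for each rejected clause."""
    errors = []
    # Same clause separators as the quoted validator: "&" and "|".
    for clause in re.split(r"&|\|", filter_data):
        reason = check_clause(clause)
        if reason:
            errors.append((clause, reason))
    return errors


def stock_accepts(filter_data):
    """Mirror of the quoted rule: exactly one "=" per clause, both sides non-empty."""
    for clause in re.split(r"&|\|", filter_data):
        parts = [part.strip() for part in clause.split("=")]
        if len(parts) != 2 or not all(parts):
            return False
    return True
```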
